禁用包含系统文件

禁用包含系统文件

可能重复:
我如何安全地编译其他人的 LaTeX 文档?

我有一台正在渲染 LaTeX 文档的 Linux 服务器,我想禁用 LaTeX 对系统文件(如/etc/passwd等)的访问。无论如何,这可能吗?

答案1

你想要在 texmf.cnf 文件中设置“paranoid”

% Allow TeX \openin, \openout, or \input on filenames starting with `.'
% (e.g., .rhosts) or outside the current tree (e.g., /etc/passwd)?
% a (any)        : any file can be opened.
% r (restricted) : disallow opening "dotfiles".
% p (paranoid)   : as `r' and disallow going to parent directories, and
%                  restrict absolute paths to be under $TEXMFOUTPUT.
openout_any = p
openin_any = a

答案2

您还应该使用 TeXLive 的默认设置:

% Enable system commands via \write18{...}.  When enabled fully (set to
% t), obviously insecure.  When enabled partially (set to p), only the
% commands listed in shell_escape_commands are allowed.  Although this
% is not fully secure either, it is much better, and so useful that we
% enable it for everything but bare tex.
shell_escape = p

% No spaces in this command list.
% 
% The programs listed here are as safe as any we know: they either do
% not write any output files, respect openout_any, or have hard-coded
% restrictions similar or higher to openout_any=p.  They also have no
% features to invoke arbitrary other programs, and no known exploitable
% bugs.  All to the best of our knowledge.  They also have practical use
% for being called from TeX.
% 
shell_escape_commands = \
bibtex,bibtex8,\
kpsewhich,\
makeindex,\
repstopdf,\

相关内容